使用unidbg搞的第一个app就如此艰难,大佬能看下这个问题,快崩溃了, app是加固的
[17:24:05 089] WARN [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:533) - handleInterrupt intno=2, NR=192, svcNumber=0x0, PC=RWX@0x401af73e, LR=RWX@0x401af72d, syscall=null
java.lang.IllegalStateException: munmap aligned=0x25000, start=0x40001000
at com.github.unidbg.spi.AbstractLoader.munmap(AbstractLoader.java:144)
at com.github.unidbg.linux.AndroidElfLoader.mmap2(AndroidElfLoader.java:735)
at com.github.unidbg.linux.ARM32SyscallHandler.mmap2(ARM32SyscallHandler.java:1840)
at com.github.unidbg.linux.ARM32SyscallHandler.hook(ARM32SyscallHandler.java:346)
at com.github.unidbg.arm.backend.UnicornBackend$11.hook(UnicornBackend.java:345)
at unicorn.Unicorn$NewHook.onInterrupt(Unicorn.java:128)
at unicorn.Unicorn.emu_start(Native Method)
at com.github.unidbg.arm.backend.UnicornBackend.emu_start(UnicornBackend.java:376)
at com.github.unidbg.AbstractEmulator.emulate(AbstractEmulator.java:380)
at com.github.unidbg.thread.Function32.run(Function32.java:39)
at com.github.unidbg.thread.MainTask.dispatch(MainTask.java:19)
at com.github.unidbg.thread.UniThreadDispatcher.run(UniThreadDispatcher.java:172)
at com.github.unidbg.thread.UniThreadDispatcher.runMainForResult(UniThreadDispatcher.java:96)
at com.github.unidbg.AbstractEmulator.runMainForResult(AbstractEmulator.java:340)
at com.github.unidbg.arm.AbstractARMEmulator.eFunc(AbstractARMEmulator.java:229)
at com.github.unidbg.linux.LinuxInitFunction.call(LinuxInitFunction.java:31)
at com.github.unidbg.linux.LinuxModule.callInitFunction(LinuxModule.java:141)
at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:180)
at com.github.unidbg.linux.AndroidElfLoader.loadInternal(AndroidElfLoader.java:62)
at com.github.unidbg.spi.AbstractLoader.load(AbstractLoader.java:233)
at com.github.unidbg.linux.android.dvm.BaseVM.loadLibrary(BaseVM.java:312)
at com.tianyancha.skyeye.
// 这里是代码 package com.tianyancha;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.file.FileIO;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.linux.android.dvm.array.ByteArray;
import com.github.unidbg.memory.Memory;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
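/**
 * unidbg harness that loads {@code libJMEncryptBox.so} from the tianyancha APK into a 32-bit
 * Android emulator and drives its encrypt entry point. The class also serves as the JNI
 * implementation the native code calls back into (Application lookup and
 * {@code JMEncryptBox.getFinger}).
 */
public class skyeye extends AbstractJni {

    /** Input handed to the native encryptor in both call paths (value from the original listing). */
    private static final String SAMPLE_INPUT =
            "imei-not-exist#@#0#@#1701937912731#@#tyc#@#78fe7353ce852fb0";

    /** Offset inside libJMEncryptBox.so that {@link #call_address()} invokes directly. */
    private static final int ENCRYPT_FUNCTION_OFFSET = 0x584d;

    private final AndroidEmulator emulator;
    private final VM vm;
    private final DalvikModule dm;
    private final Module module;

    /**
     * Builds the emulator, the Dalvik VM backed by the APK, and loads the target library.
     * Loading runs the library's init functions; {@code JNI_OnLoad} is then called explicitly
     * because the library registers its natives dynamically.
     */
    skyeye() {
        emulator = AndroidEmulatorBuilder.for32Bit()
                .setProcessName("com.tianyancha.skyeye")
                .build();
        // Android SDK level used by the library resolver for system .so lookups.
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        // Dalvik VM over the APK; this instance answers the JNI callbacks.
        vm = emulator.createDalvikVM(new File("data/tyc2/tianyancha10.8.0.apk"));
        vm.setJni(this);
        vm.setVerbose(true); // print every JNI call so unimplemented callbacks are visible
        // Load the target .so into emulated memory; init_array etc. run as part of loading.
        dm = vm.loadLibrary(new File("data/tyc2/libJMEncryptBox.so"), false);
        dm.callJNI_OnLoad(emulator); // required for dynamic registration; statically registered natives would not need it
        module = dm.getModule();
    }

    /** Entry point: encrypts {@link #SAMPLE_INPUT} through the JNI method and prints the bytes. */
    public static void main(String[] args) throws Exception {
        skyeye skyeyeobj = new skyeye();
        // Explicit charset: getBytes() without one depends on the host platform encoding.
        byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
        byte[] arr = skyeyeobj.encryptToBytesFromBytes(inputByte);
        System.out.println(Arrays.toString(arr));
        // skyeyeobj.call_address();
    }

    /**
     * Calls the encrypt routine by raw offset instead of through the registered JNI method,
     * passing a JNIEnv and a local reference to the input array, and prints the resulting bytes.
     */
    public void call_address() {
        byte[] inputByte = SAMPLE_INPUT.getBytes(StandardCharsets.UTF_8);
        Number number = module.callFunction(
                emulator,
                ENCRYPT_FUNCTION_OFFSET,
                vm.getJNIEnv(),
                vm.addLocalObject(new ByteArray(vm, inputByte)));
        // The return value is a local-reference handle; resolve it back to the byte[] it wraps.
        byte[] resArr = (byte[]) vm.getObject(number.intValue()).getValue();
        System.out.println(Arrays.toString(resArr));
    }

    /**
     * Invokes the static native {@code JMEncryptBoxByRandom.encryptByRandomType2([B)[B}.
     *
     * @param bArr plaintext bytes
     * @return the bytes the native method returns
     * @throws Exception propagated from the emulator/VM layer
     */
    public byte[] encryptToBytesFromBytes(byte[] bArr) throws Exception {
        DvmClass cls = vm.resolveClass("com/ijiami/JMEncryptBoxByRandom");
        String method = "encryptByRandomType2([B)[B";
        ByteArray arr = cls.callStaticJniMethodObject(
                emulator,
                method,
                new ByteArray(vm, bArr));
        return arr.getValue();
    }

    /**
     * JNI callback for instance methods returning an object. Only
     * {@code ActivityThread.getApplication()} is handled here; everything else is delegated.
     */
    @Override
    public DvmObject<?> callObjectMethodV(BaseVM vm, DvmObject<?> dvmObject, String signature, VaList vaList) {
        if (signature.equals("android/app/ActivityThread->getApplication()Landroid/app/Application;")) {
            // Register the superclass chain so the returned object is typed as an Application.
            DvmClass cContext = vm.resolveClass("android/content/Context");
            DvmClass cContextWrapper = vm.resolveClass("android/content/ContextWrapper", cContext);
            DvmClass cApplication = vm.resolveClass("android/app/Application", cContextWrapper);
            return cApplication.newObject(null);
        }
        return super.callObjectMethodV(vm, dvmObject, signature, vaList);
    }

    /**
     * JNI callback for static methods returning an object. Implements
     * {@code JMEncryptBox.getFinger(String, byte[])} on the host with {@link JMEncryptBox};
     * everything else is delegated.
     */
    @Override
    public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
        if (signature.equals("com/ijiami/JMEncryptBox->getFinger(Ljava/lang/String;[B)Ljava/lang/String;")) {
            // Both arguments come from the native side: the digest algorithm name and the data.
            String algorithm = (String) vaList.getObjectArg(0).getValue();
            byte[] data = (byte[]) vaList.getObjectArg(1).getValue();
            return new StringObject(vm, new JMEncryptBox().getFinger(algorithm, data));
        }
        return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
    }
}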
/**
 * Host-side stand-in for the app's {@code com.ijiami.JMEncryptBox}: digests a byte array with
 * the named {@link MessageDigest} algorithm and renders the result as upper-case hex.
 */
class JMEncryptBox {

    /**
     * Digests {@code arr_b} with algorithm {@code s} and returns the upper-case hex string.
     * On any failure (unknown algorithm, null input) the error is printed and the literal
     * {@code "ERROR2"} is returned, matching the behaviour the native side expects.
     *
     * @param s     algorithm name as understood by {@link MessageDigest#getInstance(String)}
     * @param arr_b data to digest
     * @return hex digest, or {@code "ERROR2"}
     */
    public String getFinger(String s, byte[] arr_b) {
        try {
            MessageDigest digest = MessageDigest.getInstance(s);
            return toHexString(digest.digest(arr_b));
        } catch (Exception exception0) {
            exception0.printStackTrace();
            System.out.println("ERROR2");
            return "ERROR2";
        }
    }

    /**
     * Renders every byte of {@code arr_b} as two upper-case hex digits.
     *
     * @param arr_b bytes to render
     * @return hex string of length {@code 2 * arr_b.length}
     */
    public String toHexString(byte[] arr_b) {
        StringBuffer out = new StringBuffer(arr_b.length * 2);
        for (byte current : arr_b) {
            byte2hex(current, out);
        }
        return out.toString();
    }

    /**
     * Appends the two hex digits of {@code b}, high nibble first, to {@code stringBuffer0}.
     *
     * @param b             byte to render
     * @param stringBuffer0 destination buffer
     */
    public static void byte2hex(byte b, StringBuffer stringBuffer0) {
        final String digits = "0123456789ABCDEF";
        // Mask after shifting so sign extension of negative bytes does not matter.
        stringBuffer0.append(digits.charAt((b >> 4) & 0x0F));
        stringBuffer0.append(digits.charAt(b & 0x0F));
    }
}
资源链接: https://www.123pan.com/s/i7najv-bk6jv.html
单独处理下NR=192
@heckerstone NR=192 这个是什么? 求大佬指点
同求大佬指点
@heckerstone NR=192 这个是什么? 求大佬指点
https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#arm-32_bit_EABI
NR 表（系统调用号表）
老哥后来搞定了吗?
没有,不搞了,你呢
没有,不搞了,你呢
我改用 Frida 调用了,能生成 Authorization 字段就行